exploitDog

GHSA-9f2h-7v79-mxw3

Published: 14 Oct 2025
Source: github
GitHub: reviewed
CVSS3: 6.4

Description

Parse Javascript SDK vulnerable to prototype pollution in Parse.Object and internal APIs

Summary

Prototype pollution is possible through various APIs.

Details

Injection of a malicious payload allows an attacker to remotely execute arbitrary code. Parse.Object and internal APIs are affected, specifically:

  • ParseObject.fromJSON
  • ParseObject.pin
  • ParseObject.registerSubclass
  • ObjectStateMutations (internal)
  • encode/decode (internal)
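
The APIs listed above take object graphs built from untrusted input. As an added example written from the defender's side (not code from the advisory, the reporter, or the Parse SDK), the guard below rejects JSON that carries prototype-pollution keys before it would be handed to an API such as ParseObject.fromJSON, and afterwards checks that Object.prototype is unchanged. The ParseObject.fromJSON call site and the sample input are assumptions and are constructed here, not invoked.

```javascript
// Added defensive example, not code from the advisory or the Parse SDK.
// It guards untrusted JSON before it reaches APIs such as ParseObject.fromJSON
// (assumed call site, not invoked here) and checks that Object.prototype
// was not altered after the input was processed.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return the dotted path of the first forbidden key found in `value`, or null.
// Only own enumerable keys are walked, which is exactly what JSON.parse produces,
// so a literal "__proto__" key in the text shows up as an own property here.
function findPollutionKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (POLLUTION_KEYS.has(key)) return here;
    const nested = findPollutionKey(value[key], here);
    if (nested !== null) return nested;
  }
  return null;
}

// Parse untrusted JSON text and reject it outright when it carries a pollution key.
// The conservative rule also rejects legitimate "constructor" fields; narrow the
// key set only after confirming the consumer never writes such keys to a prototype.
function parseUntrusted(text) {
  const parsed = JSON.parse(text);
  const bad = findPollutionKey(parsed);
  if (bad !== null) {
    throw new Error(`rejected untrusted JSON: forbidden key at "${bad}"`);
  }
  return parsed;
}

// Snapshot of Object.prototype's own property names, taken at module load time.
const PROTOTYPE_BASELINE = Object.getOwnPropertyNames(Object.prototype).sort().join('\n');

// True when Object.prototype still has exactly the properties it had at load time;
// run this after processing a batch of untrusted input to detect pollution.
function prototypeIsClean() {
  const now = Object.getOwnPropertyNames(Object.prototype).sort().join('\n');
  return now === PROTOTYPE_BASELINE;
}

// Constructed sample input: a harmless Parse-style object that passes the guard.
const SAMPLE_CLEAN = '{"className":"Post","title":"hello","tags":["a","b"]}';
```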

PoC

Demonstrative tests added as part of the fix.

Packages

Name: parse
Ecosystem: npm
Affected versions: < 7.0.0
Fixed version: 7.0.0

EPSS

Percentile: 28%
Score: 0.00101
Low

CVSS3: 6.4 Medium

Weaknesses

CWE-1321

Related vulnerabilities

CVSS3: 6.4
nvd
4 months ago

Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of a malicious payload allows an attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations (internal), and encode/decode (internal) are affected. This vulnerability is fixed in 7.0.0.